Getting ready for the GDPR - Where should schools start?

On June 22 by Mark Orchison

As followers of our GDPR series will already be aware, compliance with GDPR is mandatory. (For an introductory overview, read our first GDPR article.) However, preparation takes time and is likely to be disruptive.

The nature of the regulation – combined with the fact that there’s limited guidance on the practical aspect for schools – makes the situation more complex. Add to this the fact that the boundaries of what is appropriate are still to be determined by case law, and it’s unsurprising if you’re struggling to know where to start.

Check out the ICO’s advice

“Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. You should raise awareness of the changes that are coming. Do not leave your preparations until the last minute.”

The implication is clear:

GDPR is coming – and you should be aware of the necessary changes.

It’s likely that there will be limited leniency towards organisations that do not comply.

If you haven’t done so already, it’s worth taking the ICO’s self-assessment questionnaire. It will give you a good indicator of how prepared your school is for GDPR.

You should also show the ICO’s video to your governing body, to ensure they’re aware of all the issues.

Allocate additional resources

The GDPR makes clear that you’ll need to allocate additional resources to be compliant. The ICO also refers to this necessity, stating:

“The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility. You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances.”

The statement “comprehensive but proportionate governance measures” is important. Schools process a high volume of sensitive data relating to both students and staff. Under GDPR, you need to know what data you hold, where it is, who has access to it and how long it is to be stored. (Our second GDPR article tells you more about your data obligations.)

For each aspect of data processing, you need to carry out a risk assessment and a privacy impact assessment. Completing these exercises is one way of demonstrating that you have comprehensive governance measures in place.

Where there are areas of high or critical risk, you’re obligated to take and document proportionate mitigation steps.

If you decide not to take mitigating steps – either because they’re not required or because you accept a higher level of risk due to specific circumstances – these reasons should also be documented.

Enlist the help of an expert

Doing nothing is not an option.

If you have limited resources – the situation we anticipate for a significant proportion of schools – it’s vital that you identify and document the risks immediately.

The good news is, we’re available to assist you at every stage of the GDPR journey. Our certified GDPR practitioner team will provide independent assurance, support, management and governance.

Want to keep up-to-date on all the latest on GDPR as the deadline approaches? Sign up here and you’ll get an update to your inbox whenever we publish anything new.